only update nf_conntrack_max if firewall is started

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1d88891c81ea47d77b403e8b46e99aa782e09951..003dde67c7acbb2542e5ae1a3c8539aff5426e6d 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1831,10 +1831,12 @@ sub get_rulset_cmdlist {
 }
 
 sub apply_ruleset {
-    my ($ruleset, $verbose) = @_;
+    my ($ruleset, $hostfw_conf, $verbose) = @_;
 
     enable_bridge_firewall();
 
+    update_nf_conntrack_max($hostfw_conf);
+
     my $cmdlist = get_rulset_cmdlist($ruleset, $verbose);
 
     print $cmdlist if $verbose;
@@ -1888,13 +1890,11 @@ sub update {
 
        my ($ruleset, $hostfw_conf) = PVE::Firewall::compile();
 
-       update_nf_conntrack_max($hostfw_conf);
-
        if ($start || $status eq 'active') {
 
            save_pvefw_status('active') if ($status ne 'active');
 
-           PVE::Firewall::apply_ruleset($ruleset, $verbose);
+           apply_ruleset($ruleset, $hostfw_conf, $verbose);
        } else {
            print "Firewall not active (status = $status)\n" if $verbose;
        }